variables:
  SAM_TEMPLATE: template.yaml
  PERMISSIONS_PROVIDER: OpenID Connect (OIDC)
  TESTING_STACK_NAME: test-stack
  TESTING_REGION: us-east-2
  TESTING_PIPELINE_EXECUTION_ROLE: test-pipeline-execution-role
  TESTING_CLOUDFORMATION_EXECUTION_ROLE: test-cfn-execution-role
  TESTING_ARTIFACTS_BUCKET: test-bucket
  TESTING_IMAGE_REPOSITORY: test-ecr
  PROD_STACK_NAME: prod-stack
  PROD_REGION: us-west-2
  PROD_PIPELINE_EXECUTION_ROLE: prod-pipeline-execution-role
  PROD_CLOUDFORMATION_EXECUTION_ROLE: prod-cfn-execution-role
  PROD_ARTIFACTS_BUCKET: prod-bucket
  PROD_IMAGE_REPOSITORY: prod-ecr
  # By default, when using docker:dind, Docker uses the vfs storage
  # driver which copies the file system on every run.
  # This is a disk-intensive operation which can be avoided if a different driver is used.
  # For example overlay2
  DOCKER_DRIVER: overlay2
  # Create the certificates inside this directory for both the server
  # and client. The certificates used by the client will be created in
  # /certs/client so we only need to share this directory with the
  # volume mount in `config.toml`.
  DOCKER_TLS_CERTDIR: "/certs"

# Should always specify a specific version of the image. If using a tag like docker:stable,
# there will be no control over which version is used. Unpredictable behavior can result.
image: docker:19.03.15

services:
    - docker:19.03.15-dind

before_script:
  - apk add --update python3 py-pip python3-dev build-base libffi-dev
  - pip install --upgrade pip
  - pip install awscli aws-sam-cli

stages:
  - unit-test
  - build
  - testing
  - prod

# uncomment and modify the following step for running the unit-tests
#
#unit-test:
#  stage: unit-test
#  only:
#    - main
#    - /^feature-.*$/
#  script: |

# This stage is triggered only for feature branches (feature*),
# which will build the stack and deploy to a stack named with branch name.
build-and-deploy-feature:
  stage: build
  only:
    - /^feature-.*$/
  script:
    - . assume-role.sh ${TESTING_PIPELINE_EXECUTION_ROLE} feature-deployment "${PERMISSIONS_PROVIDER}"
    - sam build --template ${SAM_TEMPLATE} --use-container
    - sam deploy --stack-name $(echo ${CI_COMMIT_REF_NAME} | tr -cd '[a-zA-Z0-9-]')
                 --capabilities CAPABILITY_IAM
                 --region ${TESTING_REGION}
                 --s3-bucket ${TESTING_ARTIFACTS_BUCKET}
                 --image-repository ${TESTING_IMAGE_REPOSITORY}
                 --no-fail-on-empty-changeset
                 --role-arn ${TESTING_CLOUDFORMATION_EXECUTION_ROLE}

# This stage is triggered for main branch you set in the question,
# which will build the stack, package the application, upload the
# applications artifacts to Amazon S3 and output the SAM template file.
build-and-package:
  stage: build
  only:
    - main
  script:
    - sam build --template ${SAM_TEMPLATE} --use-container

    - . assume-role.sh ${TESTING_PIPELINE_EXECUTION_ROLE} testing-stage-packaging "${PERMISSIONS_PROVIDER}"

    - sam package --s3-bucket ${TESTING_ARTIFACTS_BUCKET}
                   --image-repository ${TESTING_IMAGE_REPOSITORY}
                   --region ${TESTING_REGION}
                   --output-template-file packaged-testing.yaml

    - . assume-role.sh ${PROD_PIPELINE_EXECUTION_ROLE} prod-stage-packaging "${PERMISSIONS_PROVIDER}"

    - sam package --s3-bucket ${PROD_ARTIFACTS_BUCKET}
                  --image-repository ${PROD_IMAGE_REPOSITORY}
                  --region ${PROD_REGION}
                  --output-template-file packaged-prod.yaml

  artifacts:
    paths:
      - packaged-testing.yaml
      - packaged-prod.yaml

# This stage is triggered for main branch you set in the question,
# which will deploy the testing stage SAM application using
# the templated file generated.
deploy-testing:
  stage: testing
  only:
    - main
  script:
    - . assume-role.sh ${TESTING_PIPELINE_EXECUTION_ROLE} testing-deployment "${PERMISSIONS_PROVIDER}"
    - sam deploy --stack-name ${TESTING_STACK_NAME}
                 --template packaged-testing.yaml
                 --capabilities CAPABILITY_IAM
                 --region ${TESTING_REGION}
                 --s3-bucket ${TESTING_ARTIFACTS_BUCKET}
                 --image-repository ${TESTING_IMAGE_REPOSITORY}
                 --no-fail-on-empty-changeset
                 --role-arn ${TESTING_CLOUDFORMATION_EXECUTION_ROLE}

# Uncomment and modify the following stage for integration tests
#
#integration-test:
#  stage: testing
#  only:
#    - main
#  script: |
#    #trigger the integration tests here

# This stage is triggered for main branch you set in the question,
# which will deploy the prod stage SAM application using
# the templated file generated.
deploy-prod:
  stage: prod
  # uncomment this to have a manual approval step before deployment to production
  # when: manual
  only:
    - main
  script:
    - . assume-role.sh ${PROD_PIPELINE_EXECUTION_ROLE} prod-deployment "${PERMISSIONS_PROVIDER}"
    - sam deploy --stack-name ${PROD_STACK_NAME}
                 --template packaged-prod.yaml
                 --capabilities CAPABILITY_IAM
                 --region ${PROD_REGION}
                 --s3-bucket ${PROD_ARTIFACTS_BUCKET}
                 --image-repository ${PROD_IMAGE_REPOSITORY}
                 --no-fail-on-empty-changeset
                 --role-arn ${PROD_CLOUDFORMATION_EXECUTION_ROLE}